sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
gnomus has quit []
rusty has joined #bitcoin-wizards
rusty has quit [Changing host]
rusty has joined #bitcoin-wizards
captjakk has quit [Remote host closed the connection]
AaronvanW has joined #bitcoin-wizards
surja795 has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 246 seconds]
surja795 has quit [Ping timeout: 272 seconds]
fredy1 has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
mryandao_ is now known as mryandao
riclas has quit [Ping timeout: 245 seconds]
roconnor has quit [Ping timeout: 245 seconds]
AaronvanW has quit [Remote host closed the connection]
DeanGuss has joined #bitcoin-wizards
nijak_ has quit [Quit: in the matrix]
Belkaar has quit [Ping timeout: 245 seconds]
Belkaar has joined #bitcoin-wizards
Belkaar has joined #bitcoin-wizards
Belkaar has quit [Changing host]
vtnerd has quit [Ping timeout: 244 seconds]
vtnerd_ has joined #bitcoin-wizards
Dean_Guss has joined #bitcoin-wizards
ghost43 has quit [Quit: Leaving]
ghost43 has joined #bitcoin-wizards
DeanGuss has quit [Remote host closed the connection]
captjakk has joined #bitcoin-wizards
fredy1 has quit []
alferz has joined #bitcoin-wizards
kenshi84 has quit [Ping timeout: 258 seconds]
kenshi84 has joined #bitcoin-wizards
ghost43 has quit [Remote host closed the connection]
ghost43 has joined #bitcoin-wizards
AbuseOfNotation has joined #bitcoin-wizards
kenshi84 has quit [Ping timeout: 245 seconds]
elichai2 has quit [Quit: Connection closed for inactivity]
kenshi84 has joined #bitcoin-wizards
alferz has quit [Ping timeout: 258 seconds]
kenshi84_ has joined #bitcoin-wizards
kenshi84 has quit [Ping timeout: 276 seconds]
Kmos has joined #bitcoin-wizards
_whitelogger has joined #bitcoin-wizards
alferz has joined #bitcoin-wizards
alferz has quit [Ping timeout: 258 seconds]
elichai2 has joined #bitcoin-wizards
queip has quit [Ping timeout: 272 seconds]
queip has joined #bitcoin-wizards
spinza has quit [Quit: Coyote finally caught up with me...]
spinza has joined #bitcoin-wizards
rusty has quit [Quit: Leaving.]
Kmos has quit []
Meemaw has joined #bitcoin-wizards
queip has quit [Ping timeout: 248 seconds]
queip has joined #bitcoin-wizards
rusty has joined #bitcoin-wizards
elichai2 has quit [Quit: Connection closed for inactivity]
rusty has quit [Client Quit]
queip has quit [Ping timeout: 245 seconds]
queip has joined #bitcoin-wizards
ccdle12 has joined #bitcoin-wizards
jungly has joined #bitcoin-wizards
vtnerd has joined #bitcoin-wizards
vtnerd_ has quit [Read error: Connection reset by peer]
setpill has joined #bitcoin-wizards
queip has quit [Ping timeout: 245 seconds]
queip has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
michaelfolkson has joined #bitcoin-wizards
Zenton has joined #bitcoin-wizards
Meemaw has quit []
queip has quit [Ping timeout: 245 seconds]
queip has joined #bitcoin-wizards
riclas has joined #bitcoin-wizards
retroj1 has joined #bitcoin-wizards
queip has quit [Ping timeout: 248 seconds]
michaelfolkson has quit [Remote host closed the connection]
queip has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
rusty has joined #bitcoin-wizards
rusty has quit [Quit: Leaving.]
tombusby has quit [Remote host closed the connection]
tombusby has joined #bitcoin-wizards
spinza has quit [Quit: Coyote finally caught up with me...]
spinza has joined #bitcoin-wizards
emilengler has joined #bitcoin-wizards
TheoStorm has quit [Ping timeout: 268 seconds]
AaronvanW has quit [Ping timeout: 246 seconds]
Guyver2 has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
retroj1 has quit []
Dean_Guss has quit [Remote host closed the connection]
surja795 has joined #bitcoin-wizards
surja795 has quit [Ping timeout: 276 seconds]
TheoStorm has quit [Quit: Leaving]
TheoStorm has joined #bitcoin-wizards
TheoStorm has quit [Remote host closed the connection]
Guyver2_ has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
andyvk5 has joined #bitcoin-wizards
Guyver2 has quit [Ping timeout: 264 seconds]
Aaronvan_ has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 272 seconds]
Guyver2__ has joined #bitcoin-wizards
Guyver2___ has joined #bitcoin-wizards
Guyver2_ has quit [Ping timeout: 264 seconds]
Guyver2____ has joined #bitcoin-wizards
Guyver2__ has quit [Ping timeout: 264 seconds]
Guyver2___ has quit [Ping timeout: 248 seconds]
Guyver2____ has quit [Quit: Going offline, see ya! (www.adiirc.com)]
TheoStorm has joined #bitcoin-wizards
Hansie has joined #bitcoin-wizards
TheoStorm has quit [Quit: Leaving]
farmerwampum has quit [Ping timeout: 258 seconds]
emilengler has quit [Remote host closed the connection]
farmerwampum has joined #bitcoin-wizards
Aaronvan_ is now known as AaronvanW
elichai2 has joined #bitcoin-wizards
farmerwampum has quit [Ping timeout: 248 seconds]
farmerwampum has joined #bitcoin-wizards
<Hansie>
Hi there. In Elliptic Curve Cryptography, is it possible to verify if a Pedersen commitment `vH + kG` only has an element on `G` and nothing on `H`, thus with `v = 0`, by just evaluating the commitment on face value, without trying to solve for `k`? Commitment bases `G` and `H` are known. (`v` is the value and `k` is the blinding factor.) I know the Pedersen commitment is computationally binding and perfectly hiding.
<sarang>
If you don't want to reveal `k` you can sign with it, since a commitment to zero is a public key
<Madars_>
yes. if dlog holds, then if you know a decommitment of the form cm = v*H, it is computationally infeasible to find another one (as that would break the dlog). but of course for *every* v', there exists a k' s.t. cm = v' * G + k' * H, so "have nothing on H" only has a computational meaning
<Hansie>
Thanks, but I am not sure I understand the answer. Is it feasible to verify in polynomial time if `v=0`?
<Hansie>
... without knowing `k`?
<sarang>
When you say "verify" do you mean that a prover wishes to prove that her commitment is to `v=0` without revealing the blinder `k`, such that a verifier can be convinced of this without attempting to brute-force blinders?
<Hansie>
Yes, that's it!
<sarang>
In that case, the prover's commitment is of the form `C=kG` and the prover can simply sign an appropriate message with `k`
<sarang>
If the discrete log between the two Pedersen generators is unknown, the prover cannot do this with nonzero value except negligibly
<sarang>
A successful signature (and properly constructed message involving `C`, etc.) convinces the verifier that the commitment was to zero
queip has quit [Ping timeout: 246 seconds]
<adiabat>
digi_james: thanks, I can answer here, I dunno if it's too noisy / OT as I also made #utreexo (which nobody uses :)
<adiabat>
1) just the inclusion proofs are enough to perform deletion operations, even if you only have roots
<Hansie>
sarang: Ok, so if we have `C = 0H + (k_1G+k_2G+k_3G)` where 3 parties each hold their `k_n` value private but are not present in this final Tx, would it still be possible? The 3 parties can sign an appropriate message with their respective `k_n` when those commitments are created.
<adiabat>
for addition operations, no proofs are needed, just the roots and the elements to add
<adiabat>
2 & 3) so far I've done everything in RAM and don't have serialization code for partial / sparse forests. It seems like it'd work OK on disk but would be slower.
<sarang>
Hansie: I suppose at that point it's basically a multisignature on the combined key... but I know that andytoshi and friends have been finding all the possible ways that multisignatures can go horribly wrong :D
queip has joined #bitcoin-wizards
<Hansie>
sarang: So if we can prove that each individual `C_n=0H+k_nG` is a commitment to zero with an appropriate signature, would it be enough to additionally verify that `C=C_1+C_2+C_3` and in so doing prove that `C = 0H + (k_1G+k_2G+k_3G)`?
Guyver2 has joined #bitcoin-wizards
<sarang>
Are the individual commitments `C_n` provided separately to the verifier?
<Hansie>
Yes, the verifier can have access to those commitments.
<sarang>
If each prover signs for their own commitment to zero, then of course the sum is also a commitment to zero
<sarang>
(this of course only holds if each prover has a commitment _to zero_ on their own)
michaelsdunn1 has joined #bitcoin-wizards
<Hansie>
Yes, and thank you sarang, this scheme is the answer I was looking for. I basically want to add a bunch of commitments together and prove that the result is a commitment to `0` without the owners of those commitments being present.
<sarang>
Wait, are the individual commitments _not_ to zero?
<sarang>
The individual signers cannot use their commitments as public keys if they are not separately zero-valued
<sarang>
In the case of the equation you listed, individual signatures don't work
<sarang>
because `v_1H+k_1G` is not a public key with known private key unless `v_1 = 0`
<aj>
sarang: you can do schnorr signatures of k_1G, k_2G, k_3G and add them up though
<sarang>
If some outside entity knew the masks, they could sign for the sum/difference... but at that point they could simply brute-force the values and recover all commitments
<sarang>
aj: wouldn't that require appropriate precommitments and such?
<sarang>
Which wouldn't work non-interactively?
<aj>
sarang: i think you just wouldn't be able to tell the difference between "it doesn't add up to 0H after all" and "someone's not following the protocol"?
<Hansie>
I thought the parties could construct their zero commitments with `k_n` and appropriate signatures when they create the actual commitments.
<sarang>
Hansie: I think I'm confused about the structure of your individual commitments... you said "zero commitments" which I assume are not the same as whatever "usual commitments" to non-zero values the signers are working with
andyvk5 has quit []
<Hansie>
Yes, someone creates a normal commitment, and at the same time a commitment to zero with the same blinding factor and signature to prove it
<sarang>
If you're including both commitments (to zero and to non-zero) it's trivial to brute-force the value if it's in a limited range
<sarang>
Not sure if that's important to your scheme or not
<Hansie>
Confidentiality is important but can be sacrificed if needed.
<sarang>
You implied that your goal is to make this non-interactive, such that any third party can perform this aggregation-to-zero?
<Hansie>
Yes, that is the goal. The additional metadata can be kept secret by the 3rd party until needed.
roconnor has joined #bitcoin-wizards
<Hansie>
Actually not any 3rd party, but a semitrusted 3rd party.
<sarang>
How much trust is semitrust? :)
<Hansie>
They will be able to brute-force the values before the final transaction is posted, but never the blinding factors.
<Hansie>
Trusted not to reveal that information
suraeNoether has quit [Quit: Connection closed for inactivity]
queip has quit [Ping timeout: 272 seconds]
queip has joined #bitcoin-wizards
roconnor has quit [Quit: Konversation terminated!]
josef641 has joined #bitcoin-wizards
setpill has quit [Quit: o/]
MarcoFalke has quit [Read error: Connection reset by peer]
StopAndDecrypt_ has joined #bitcoin-wizards
StopAndDecrypt has quit [Ping timeout: 248 seconds]
hugohn has joined #bitcoin-wizards
jungly has quit [Remote host closed the connection]
Zenton has quit [Ping timeout: 272 seconds]
TheoStorm has joined #bitcoin-wizards
TheoStorm has quit [Remote host closed the connection]
josef641 has quit []
coppro has joined #bitcoin-wizards
hugohn has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
TheoStorm has joined #bitcoin-wizards
spinza has quit [Quit: Coyote finally caught up with me...]
queip has quit [Ping timeout: 244 seconds]
queip has joined #bitcoin-wizards
spinza has joined #bitcoin-wizards
fkinglag has quit [Ping timeout: 245 seconds]
TheoStorm has quit [Ping timeout: 244 seconds]
tromp has joined #bitcoin-wizards
Zenton has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
TheoStorm has quit [Remote host closed the connection]
fkinglag has joined #bitcoin-wizards
queip has quit [Ping timeout: 272 seconds]
queip has joined #bitcoin-wizards
Aaronvan_ has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 268 seconds]
sword_smith has quit [Ping timeout: 272 seconds]
michaelsdunn1 has quit [Remote host closed the connection]
coppro has quit []
jjj has joined #bitcoin-wizards
mappum has quit [Quit: Connection closed for inactivity]
Guyver2 has quit [Quit: Going offline, see ya! (www.adiirc.com)]
TheoStorm has joined #bitcoin-wizards
TheoStorm has quit [Client Quit]
ccdle12 has quit [Remote host closed the connection]
ccdle12 has joined #bitcoin-wizards
spinza has quit [Quit: Coyote finally caught up with me...]
ccdle12 has quit [Remote host closed the connection]
spinza has joined #bitcoin-wizards
tuirektiujm[m] has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
tromp has quit [Remote host closed the connection]
<nsh>
"Abstract: We show how to perform a full-threshold n-party actively secure MPC protocol over a subgroup of order p of an elliptic curve group E(K). This is done by utilizing a full-threshold n-party actively secure MPC protocol over Fp in the pre-processing model (such as SPDZ), and then locally mapping the Beaver triples from this protocol into equivalent triples for the elliptic curve. This allows us to transform essentially *any* one-party protocol over an elliptic curve, into an n-party one. As an example we show how to transform the shuffle protocol of Abe into an n-party protocol. This application requires us to also give an MPC protocol to derive the switches in a Waksman network from a generic permutation, which may be of independent interest."
queip has quit [Ping timeout: 245 seconds]
queip has joined #bitcoin-wizards
tromp has quit [Remote host closed the connection]